head 1.1; access; symbols OPENPKG_E1_MP_HEAD:1.1 OPENPKG_2_STABLE_MP:1.1 OPENPKG_2_STABLE:1.1.0.2 OPENPKG_E1_MP:1.1; locks; strict; comment @# @; 1.1 date 2006.11.04.18.55.00; author rse; state Exp; branches 1.1.2.1; next ; commitid bQcmOODyIN2VKnTr; 1.1.2.1 date 2006.11.04.18.55.00; author rse; state dead; branches; next 1.1.2.2; commitid bgHcgbCknNb3PnTr; 1.1.2.2 date 2006.11.04.19.07.04; author rse; state Exp; branches; next ; commitid bgHcgbCknNb3PnTr; desc @@ 1.1 log @apply two bugfixes from Debian, a security fix and cleanup the installation hierarchy by removing useless files @ text @Index: src/font.c --- src/font.c.orig 2005-07-27 22:35:06 +0200 +++ src/font.c 2006-11-04 19:20:55 +0100 @@@@ -199,7 +199,7 @@@@ unsigned int i = 0; while (font_data->cache[i].name) - { if (strcmp (font_data->cache[i].path,entry->path) == 0) break; + { if (strcmp (font_data->cache[i].name,entry->name) == 0) break; i++; } @@@@ -422,7 +422,6 @@@@ fontmap_data->FD.FI = 0; - if (API->flags & WMF_OPT_SYS_FONTS) { if (API->flags & WMF_OPT_SYS_FONTMAP) { wmf_ipa_font_map_xml (API,&(fontmap_data->FD),options->sys_fontmap_file); } ----------------------------------------------------------------------------- Security Fix (CVE-2006-3376) Integer overflow allowing remote attackers to execute arbitrary code via the MaxRecordSize header field in a WMF file. Index: src/player.c --- src/player.c.orig 2002-12-10 20:30:26 +0100 +++ src/player.c 2006-11-04 19:50:32 +0100 @@@@ -132,6 +132,14 @@@@ } } +#define WMF_SIZE_MAX ((size_t)(~((size_t)0))) /* portable version of SIZE_MAX */ + if (MAX_REC_SIZE(API) > WMF_SIZE_MAX / 2) + { + API->err = wmf_E_InsMem; + WMF_DEBUG (API,"bailing..."); + return (API->err); + } + /* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char)); */ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)); @ 1.1.2.1 log @file libwmf.patch was added on branch OPENPKG_2_STABLE on 2006-11-04 19:07:04 +0000 @ text @d1 46 @ 1.1.2.2 log @MFC: recent fixes @ text @a0 46 Index: src/font.c --- src/font.c.orig 2005-07-27 22:35:06 +0200 +++ src/font.c 2006-11-04 19:20:55 +0100 @@@@ -199,7 +199,7 @@@@ unsigned int i = 0; while (font_data->cache[i].name) - { if (strcmp (font_data->cache[i].path,entry->path) == 0) break; + { if (strcmp (font_data->cache[i].name,entry->name) == 0) break; i++; } @@@@ -422,7 +422,6 @@@@ fontmap_data->FD.FI = 0; - if (API->flags & WMF_OPT_SYS_FONTS) { if (API->flags & WMF_OPT_SYS_FONTMAP) { wmf_ipa_font_map_xml (API,&(fontmap_data->FD),options->sys_fontmap_file); } ----------------------------------------------------------------------------- Security Fix (CVE-2006-3376) Integer overflow allowing remote attackers to execute arbitrary code via the MaxRecordSize header field in a WMF file. Index: src/player.c --- src/player.c.orig 2002-12-10 20:30:26 +0100 +++ src/player.c 2006-11-04 19:50:32 +0100 @@@@ -132,6 +132,14 @@@@ } } +#define WMF_SIZE_MAX ((size_t)(~((size_t)0))) /* portable version of SIZE_MAX */ + if (MAX_REC_SIZE(API) > WMF_SIZE_MAX / 2) + { + API->err = wmf_E_InsMem; + WMF_DEBUG (API,"bailing..."); + return (API->err); + } + /* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char)); */ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)); @